
U.S. Air Force Major George Filer belongs to the generation of pilots and airmen who first became aware of the strange aircraft showing up in the Earth’s atmosphere after World War II.

These men – military professionals who flew planes, commanded ships, served as radar operators and air traffic controllers at air fields around the world – began to whisper amongst themselves about encounters with suspected extraterrestrial aircraft. During secret debriefings at U.S. bases, pilots and air crew told their commanders of seeing strange lights at night and in the daylight, groups of saucer- or cigar-shaped craft that easily paced them just a few yards off their plane’s wingtip.

Award-winning investigative reporter John Guerra spent four years interviewing Filer, a decorated intelligence officer. From objects in the skies over Cold War Europe to a UFO overflight during the Cuban Missile Crisis to strange lights over the DMZ during the Tet Offensive, Filer leaves nothing out about his Air Force UFO encounters, providing Guerra all the amazing details of his six decades investigating extraterrestrials and their craft. Filer’s most memorable case – the shooting of an alien at Fort Dix Army Base in 1978 – is fully recounted for the first time in this book.

Filer – who readers have seen on countless UFO documentaries – is also a member of the Disclosure Project, the famous panel of military experts, astronauts, and scientists that urges the U.S. government to release all it knows about UFOs to the public.

Then, in the fall of 2017, the Pentagon released the F-18 gun camera footage of what can only be described as an extraterrestrial vehicle outperforming U.S. Navy fighters off San Diego …

Keys writer John Guerra’s biography of real-life Air Force UFO investigator Maj. George Filer is now out on Amazon. Filer leaves nothing out about his own UFO encounters on the ground and in the air, providing Guerra all the important details of his six decades investigating extraterrestrials and their craft.

How will GRC roles evolve in the coming year? What are the weak links to watch out for? Find out in MetricStream’s report on the trends and predictions for 2019. The future of GRC will not just be about managing known risks or monitoring compliance. It will be about sustaining an organization’s social license to operate.

Balancing Value Protection and Value Creation

As enterprises strive to stay ahead of the curve, GRC executives will be expected to go beyond their traditional roles as the guardrails of the organization and become enablers of business performance and growth. They will need to find a balance between protecting value and creating it; between being the voice of reason in the C-suite and enabling the business to take the requisite risks to achieve the desired rewards. CROs, for instance, will be called on to help leadership teams decide when to launch a new product, or which markets to target first based on the associated risks and opportunities. In doing so, they will be seen as enablers of innovation.

Truth-tellers and Strategic Advisors

Boards will demand more transparency. They will want to respond more proactively to potential risks and opportunities. Therefore, CROs, CCOs, CAEs, and CISOs will need to deliver insights that are forward-looking, actionable, and performance enabling. They will also need to become better story-tellers, communicating their message clearly, succinctly, and in a way that the board can understand and act on. To support these efforts, new generations of GRC solutions will be designed to predict potential risks with greater accuracy and speed than ever.

Leading from the Front

More risk and compliance responsibilities will move down into the first line of defense. But first, organizations will need to think about how GRC can be adapted to the first line, not how the first line should adapt to GRC. How can GRC be made so intuitive that it becomes a seamless, almost inherent part of employee routines? The answers, to some extent, will lie with technology. GRC tools will increasingly be layered into the systems used by the first line in such a way that when an employee is confronted with a potentially risky or non-compliant transaction, the underlying technology will automatically trigger checklists and workflows to guide the employee towards making the right decision.

GAN Integrity this week launched its Risk Management module that builds on GAN’s all-in-one compliance platform. GAN designers say the module is designed to integrate seamlessly with the rest of GAN’s compliance components, so users can make strategic, data-driven decisions based on a holistic and real-time view of all compliance-related activities.

Companies can customize how they frame their risk management and shift to a dynamic approach. The tool complements annual risk assessments and helps compliance teams take action on next steps, company officials said.

“As an organization’s risk management evolves, so does GAN’s tool configuration, enabling real-time identification, assessment and management of all risks,” said Valerie Charles, chief strategy officer for GAN Integrity. “It empowers compliance teams to focus on what matters with technology that enables them to proactively manage any compliance issue that arises, at anytime, anywhere.”

Monitor: The module tracks compliance risks in real time using a heat map that enables a company to instantly react to critical changes to risks throughout the business. All changes and activity are saved for later reference.

Evolve: The module automatically updates risks based on changes to the business.

The Panasonic enforcement action in April — resulting in $280 million in penalties and disgorgement to the DOJ and SEC — offers almost every lesson a compliance officer might want to discuss about anti-bribery programs.

First, due diligence matters all the time, all the way down

As often happens with anti-bribery offenses under the FCPA, bribes were relayed to government officials through intermediaries and sales agents. Multiple agents working for Panasonic failed the company’s internal due diligence checks and parted ways with the company — and were then hired back as subcontractors, through a sales agent that had passed the due diligence.

That scenario underlines the point of what due diligence truly is: an effort to expel corrupt third parties from the enterprise permanently, rather than a simple background check to be performed at one moment in time.

If the mantra is, “Companies don’t commit crime; people working for companies do,” then due diligence programs should flag specific high-risk people and ensure they don’t work on behalf of the organization. That can require language in contracts with other third parties (to avoid subcontractor risk), follow-up audits, and similar measures.

Second, accounting controls also matter

Panasonic engaged in considerable books-and-records violations both to mask the improper payments and to inflate revenue and pre-tax income by recognizing revenue early. Panasonic ultimately paid more than $1.75 million to supposed sales agents who provided few (if any) actual services. None of that was properly recorded in the company’s books.

Moreover, Panasonic employees knew about, and concealed, the scheme to sub-contract the sales agents who had been terminated. The third party that employed those sub-contractors was paid from a Panasonic budget line under the sole control of a senior Panasonic Avionics executive, with no oversight from anyone else at the company.

Proper accounting controls are crucial to effective FCPA compliance, since they can choke off the supply of money necessary for criminal violations. For example, a company could require multiple executives to counter-sign any payment above, say, $50,000; and require documentation that the party receiving that money has delivered the services promised.

Compliance with the civil side of the FCPA (implementing strong accounting controls) supports compliance with the criminal side (not paying bribes).

Third, leadership is what makes the first two issues matter.

Large organizations are always porous collections of people and business practices. Even the most exhaustive controls, policies, and procedures leave some crack where misconduct can sprout. Strong ethical leadership is the sealant that tries to fill those cracks. The absence of strong leadership does the company no favors.

In Panasonic’s case, an internal audit in 2010 flagged potential problems with high-risk agents, and that report was circulated among senior executives. No follow-up happened for years.

Panasonic didn’t disclose the misconduct voluntarily. Only when the Securities and Exchange Commission began requesting documents did Panasonic admit potential problems and begin cooperating. That said, after the investigation began Panasonic did cooperate fully, including a thorough internal investigation and providing foreign employees for interviews with the Justice Department.

“We created a GRC summit where we could gain feedback from thought leaders and practitioners in the room,” Kapoor said. “It was intensive, with some 500 people representing 300 small to large companies representing a number of different industries – the main takeaway is that we’re all on the same journey.”

To set the stage for discussion, MetricStream announced its new tagline: “Perform with Integrity.”

“That mirrors the desire that companies have to raise performance while maintaining integrity in several aspects of the GRC model.”

According to Kapoor, companies both large and small worry about maintaining not only the integrity of their data, but their company’s integrity in the eyes of their customers who too often find they can’t trust companies to protect their personal data. Top executives at Uber, Facebook, Wells Fargo, and other companies have been summoned before Congressional hearings to answer for misuse of customer data.

“For the last two years, there have been huge breaches of trust when it comes to high-performing companies and major banks,” he said. “Companies are ensuring their GRC platforms are built for performance and integrity, and that’s in addition to preventing bribery, money laundering and other ethical problems. For the companies at our summit, maintaining the trust of their customers topped the list.”

The largest companies at the MetricStream summit said they designed GRC systems that would control ethical standards, prevent data breaches and enable them to report problems quickly to customers when they occur, Kapoor said.

“A large retailer in Sweden said their primary GRC strategy is to align systems that build trust with customers,” Kapoor said. “If there is a breach, how do we deal with customers? How do you write GRC to reflect ‘Tone at the Top?’ When your platform lets you document what kind of policies you need or have in place, you can accomplish these controls.”

At one point, the moderator asked the attendees to stand, and to sit back down when the moderator named their chief concern.

“At change and change management, most sat down,” Kapoor said. “Companies have been faced with so much change that they are looking for the ability to adapt quickly to concerns and write it into GRC applications. For instance, crypto is an issue nobody knows how to handle. Companies are exposed to more risk like that because things are a lot more digital.”

How have the recent privacy and security violations reported in the news everyday changed your company’s behavior? There’s a silver lining to all the doomsday headlines — they should compel stakeholders in your company to pay more attention and provide more buy-in for proactive safeguarding activities against these risks.

How are you going to leverage this opportunity? You need a fresh approach, management support, a solid plan, and comprehensive technology to support all the moving parts involved in setting up an integrated security and risk management program.

As an experienced governance, risk management, and compliance (GRC) consultant and former auditor, I’ve assessed and supported many companies through the challenges inherent to building a mature, enterprise-wide information security risk management program that aligns with global standards and boosts competitive advantage.

One way many organizations are approaching this is through ISO 27001, an international standard for establishing, operating, maintaining and continually improving an Information Security Management System (ISMS).

This standard pushes organizations to move past checking boxes for adherence to controls by promoting a top-down, risk-based approach to developing processes, policies, and controls that specifically address the organization’s information security risks.

Organizations are certified based on adherence to a set of process level clauses (requirements) and controls used to support the processes, and auditors certify against these requirements.

Why try to certify?

I’ve seen a growing number of companies working toward ISO 27001 certification (or towards compliance without undergoing the certification process). Implementing this standard is a highly effective way to build an integrated risk management program by establishing an ISMS.

An ISMS is made up of the people, processes and IT systems used to apply a risk management program for managing an organization’s most sensitive and valuable data.

Approaching ISMS development in alignment with ISO standards will help your organization protect its critical data and IT assets, build resilience against threats and incidents, and be prepared for challenges and opportunities as they arise.

Even though it is voluntary, ISO 27001 certification is a valuable undertaking for many reasons. ISO 27001 is highly recognized and respected worldwide, encourages continual improvement and serves as a solid foundation for other IT risk and compliance standards and frameworks.

If you can meet the ISO 27001 standard, you are well positioned to comply with most other information security regulations, as well as client information security requirements.

At this point, organizations doing business globally are increasingly encouraged to achieve certification to stay competitive and win new business. As US companies expand operations internationally, they are often forced to comply with additional privacy and security regulations and provide additional assurances to partners and customers.

In addition to being an important indicator of information security maturity, a certified ISMS operates as a marketing tool, and as a seal of approval, providing a competitive advantage over competitors. For evidence of this trend, do a quick search on ISO 27001 certification; note that the results are packed with company press releases announcing certification and re-certification.

A high bar to clear

Many companies struggle to achieve certification. The ISO 27001 standard sets a high bar — it is not a one-and-done, checkbox list of requirements.

It’s a continual living and breathing program that includes understanding interested party requirements, management commitment, cataloging risks, assessing the severity of risks, planning how to remediate risks, and producing documentation to substantiate the risk management activities.

The standard also requires that organizations apply a mindset of continual improvement, where management pushes past program mediocrity and strives to improve the overall health of the ISMS.

Manual approach not working

Traditionally, ISO 27001-related tasks have been performed manually; documents are stored in network file folders or process owner local drives and tasks are managed through spreadsheets, documents and email.

It is nearly impossible for global, digital businesses to keep up using a manual approach, given the complexity of information security programs, the expanding reliance on supply chains and outsourcing, and the criticality of data and IT systems.

The pain points become acute when it is time for auditors to assess a company’s operations. Scrambling to pull together the proper documentation is a time-consuming hunt that distracts staff from core functions and operational improvement work.

An inability to efficiently prove compliance, of course, increases the likelihood of failing an audit.

This dynamic is disastrous enough for mandatory regulations like HIPAA and SOX. When it comes to voluntary standards like ISO 27001, failed audits, runarounds, and tedious tasks kill stakeholder enthusiasm and make it impossible to gain traction.

How can you bring focus and efficiency to your ISMS efforts, so you can build momentum towards certification? The key is to streamline, centralize, and automate.

As a first step, consider how you currently document and manage ISMS processes. If they are handled through manual, ad hoc processes, then departmental segmentation, duplicated efforts, lack of visibility and accountability, and wasted resources are sure to follow.

Integrated systems deliver lasting benefits

This is why a governance, risk management and compliance (GRC) technology platform is so critical to successful ISMS initiatives and efficient compliance programs. These enterprise software suites are made up of interoperable tools that all types of organizations deploy to help manage risk, demonstrate regulatory compliance, automate business processes, and prepare for audits.

Streamlined documentation and automated tracking are key features of these tools. When a task (e.g., inventory, assessment, remediation workflow, exceptions approval, policy review, etc.) is performed within the tool, the tool automatically retains the required evidence, allowing GRC teams to gain significant efficiencies.

In contrast, if you’re performing or documenting that task in Excel, it’s nearly impossible to show when or by whom that task was completed.

GRC platforms do far more than establish evidence repositories. They support the work of integrating processes, policies, and controls across departments and business units, which is essential to extending comprehensive risk management throughout the value chain.

Digitally linking processes to risks you identify, to policies you create, and to control procedures you administer weaves a tighter web of protection and oversight. I see the “shall” requirement statements — the standards set by ISO 27001 and other security and risk management frameworks — as objectives.

The processes, procedures, and controls you put in place and maintain with the help of a GRC platform determine whether you will achieve those objectives, and how quickly you’ll get there.

GRC as instrumental

GRC platforms, when combined with sufficient staff and expertise and supported from the top down, are instrumental in many ways. Whether your organization is building an ISMS from the ground up, seeking a better method for managing and integrating security and risk activities, or trying to streamline the audit process after certification, manual processes will no longer suffice.

Your team can leverage a GRC platform’s capabilities to manage regulatory requirements, policies and procedures, risk assessments, third parties, incidents, asset repositories, vulnerabilities, audits, and business continuity. When deployed across the organization, GRC technology systems facilitate collaboration, and increase visibility and accountability. A team attuned to the importance of working together to develop a world-class ISMS can reach compliance and certification more expediently with these capabilities at its disposal.

These benefits are valuable to every organization. Indeed, there are a lot of companies that will follow the ISO 27001 standards without attempting certification, but achieving the certification is the only way to provide assurance that your information security and risk management processes are compliant with the standard.

The public, legislators, and industry organizations are increasingly aware of and reactive to negative news about corporate data breaches, and individual data privacy issues.

Organizations that have built a mature ISMS that matches the standard of excellence set by the ISO will be well-positioned to sustain competitive advantage and protect their assets and reputation in the face of a myriad of challenges.

Jason Eubanks, CRISC and ISO 27001 Lead Auditor, is Principal Consultant at Lockpath, a provider of integrated risk management solutions.

As anyone with an iPhone or Windows PC understands, when Apple or Microsoft issues a new software update, apps and functions that worked fine before suddenly experience degraded performance or simply do not work at all.

There is a parallel for enterprises today as they move to upgrade and migrate to the latest enterprise resource planning (ERP) software from companies like SAP and Oracle. These comprehensive software platforms act like the ‘heart and lungs’ for these companies, managing everything from the supply chain and logistics through to HR and financials.

A key part of ERP software is governance, risk and compliance (GRC) controls, in particular Segregation of Duties (SoD), which are designed to safeguard businesses, investors and customers alike.

At their primary layer, SoD and other access control measures provide checks and balances to prevent careless processes from exposing a business to risks. Taking it a step deeper, these access control measures are carefully designed, systematic rules implemented to keep people from defrauding an organization.

Businesses today count on GRC solutions for their ERP software as an operational necessity — much like encryption or security monitoring. Like these controls, GRC can blend seamlessly into an enterprise and with automation doesn’t have to restrict or slow down daily operations. In fact, without creating additional work for administrators, a system can effectively and automatically check every task employees do in their ERP software.

However, this streamlined process can be disrupted when new functionality is introduced into a system, just like an iPhone or Windows PC update. A good example of this upgrade hazard comes from SAP, one of the main ERP providers with more than 365,000 customers in 180 countries.

SAP Fiori is a new role-based, simplified and personalized user experience interface for SAP. Because SAP’s GRC software is designed around its legacy user interface, the introduction of SAP Fiori can create false negatives around an enterprise’s SoD conflicts.

So how can a business ensure its SAP Fiori solution for access control isn’t missing or mislabeling SoD issues? In the traditional SAP interface, users perform tasks through transactions by selecting them from the menu or entering the transaction code as a shortcut.

SAP’s GRC software then checks these transactions against a list of SoD conflicts to catch combinations of actions that could lead to fraudulent actions. For example, if a user can both create and pay vendors, they could abuse their access power by creating a fictitious vendor to begin funneling money out of the company.

A less extreme example involves flagging authorization risks that circumvent business processes — for example, ensuring managers can’t sign off on their own work. SoD checks are critical in catching these discrepancies for organizations. SAP Fiori, however, functions through service authorizations instead of transaction authorizations. If a user performs the same tasks, such as creating or paying a vendor, through a Fiori app, no transaction start authorization is needed.

This ultimately means that most SAP GRC solutions can’t monitor for SoD conflicts within Fiori apps, which increases an enterprise’s exposure to fraud. To accurately analyze SoD conflicts and maintain compliance in this SAP example, a GRC solution must check both transaction start authorizations as well as service authorizations.

Within this analysis, a company’s service authorizations will output hash value character codes that correspond to services. To properly interpret these outputs, a company’s GRC team needs to add these codes to its rulebook, essentially creating an ad-hoc SAP Fiori solution for access control.

This can prove challenging because hash values can be system-specific and difficult to connect to the underlying services. Also, manually recreating a complex set of SAP GUI checks in Fiori introduces the opportunity for dangerous errors or inconsistencies — ultimately making maintaining GRC more difficult in the long run.

To close the emerging gap in access controls in this example, businesses need a GRC solution with an included ruleset designed to work across both Fiori and SAP GUI.

This way you can eliminate false negatives, inconsistent security rules, and complex maintenance requirements while protecting the business and ensuring compliance.
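The gap described above can be made concrete with a small rule engine. The following is an added illustration, not SAP’s GRC product and not Symmetry’s code: it keeps the SoD rulebook in terms of business activities, grants each activity either through a transaction-start authorization (SAP GUI) or a Fiori service authorization, and resolves the system-specific service hashes through a separate per-system table so the rules themselves never contain hashes. Transaction codes XK01, F110, ME21N and ME29N are assumed here to stand for create vendor, run vendor payments, create purchase order and release purchase order; every service hash and user record is constructed. Running it with `include_services=False` reproduces the false negative a transaction-only check produces for a user who creates vendors in the GUI and pays them from a Fiori app.

```python
"""Toy segregation-of-duties (SoD) check spanning SAP GUI and Fiori access.

Added illustration for this post; it is not SAP's GRC product and not
Symmetry's code. Transaction codes XK01, F110, ME21N and ME29N are assumed
here to stand for create vendor, run vendor payments, create purchase order
and release purchase order. Every service hash and user record below is
constructed.
"""
from typing import Dict, List, Set, Tuple

# An authorization is (kind, value): "TCODE" for a transaction-start
# authorization used by SAP GUI, "SERVICE" for a Fiori service authorization,
# whose value is an opaque hash rather than a readable name.
Auth = Tuple[str, str]

# Rulebook written in terms of business activities. Each activity lists the
# transactions and the logical Fiori services that grant it, so one ruleset
# covers both interfaces and hashes never appear in the rules themselves.
RULEBOOK: Dict[str, Dict[str, Set[str]]] = {
    "create_vendor": {"tcodes": {"XK01"}, "services": {"ManageSupplierMaster"}},
    "pay_vendor": {"tcodes": {"F110"}, "services": {"ManagePaymentRuns"}},
    "create_po": {"tcodes": {"ME21N"}, "services": {"CreatePurchaseOrder"}},
    "approve_po": {"tcodes": {"ME29N"}, "services": {"ApprovePurchaseOrder"}},
}

# Activity pairs one user must not hold together, with the risk each poses.
CONFLICT_RULES: List[Tuple[str, str, str]] = [
    ("create_vendor", "pay_vendor", "fictitious vendor payout"),
    ("create_po", "approve_po", "self-approval of purchases"),
]

# Service hashes are system-specific, so the hash -> service mapping lives
# per system, outside the rulebook. Constructed placeholder values.
SERVICE_HASHES: Dict[str, Dict[str, str]] = {
    "PRD": {
        "0F3A9C1E2B7D4856A1C2D3E4F5061728": "ManageSupplierMaster",
        "9B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E": "ManagePaymentRuns",
        "5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B": "CreatePurchaseOrder",
        "C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5": "ApprovePurchaseOrder",
    },
    "QAS": {
        "77A1B2C3D4E5F60718293A4B5C6D7E8F": "ManageSupplierMaster",
        "88B2C3D4E5F60718293A4B5C6D7E8F9A": "ManagePaymentRuns",
    },
}


def held_activities(auths: List[Auth], system: str, include_services: bool = True) -> Set[str]:
    """Map a user's authorizations to the business activities they enable.

    With include_services=False this behaves like a legacy, GUI-only check:
    Fiori service authorizations are ignored entirely.
    """
    hashes = SERVICE_HASHES.get(system, {})
    held: Set[str] = set()
    for kind, value in auths:
        if kind == "TCODE":
            held.update(act for act, g in RULEBOOK.items() if value in g["tcodes"])
        elif kind == "SERVICE" and include_services:
            name = hashes.get(value)
            if name is not None:
                held.update(act for act, g in RULEBOOK.items() if name in g["services"])
    return held


def unresolved_services(auths: List[Auth], system: str) -> Set[str]:
    """Service hashes the system table cannot name. These need review: an
    unmapped hash is an unchecked privilege, not a safe one."""
    hashes = SERVICE_HASHES.get(system, {})
    return {v for k, v in auths if k == "SERVICE" and v not in hashes}


def sod_conflicts(auths: List[Auth], system: str, include_services: bool = True) -> List[str]:
    """Return the risk names of every conflict rule the user violates."""
    held = held_activities(auths, system, include_services)
    return [risk for a, b, risk in CONFLICT_RULES if a in held and b in held]


# Constructed users. fiori_user creates vendors in the GUI but pays them from
# a Fiori app, exactly the combination a transaction-only check misses.
USERS: Dict[str, List[Auth]] = {
    "gui_user": [("TCODE", "XK01"), ("TCODE", "F110")],
    "fiori_user": [("TCODE", "XK01"), ("SERVICE", "9B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E")],
    "po_user": [
        ("SERVICE", "5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B"),
        ("SERVICE", "C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5"),
    ],
}

if __name__ == "__main__":
    for name, auths in USERS.items():
        legacy = sod_conflicts(auths, "PRD", include_services=False)
        full = sod_conflicts(auths, "PRD")
        print(f"{name:11} GUI-only: {legacy or 'none'} | GUI+Fiori: {full or 'none'}")
    # A hash copied from PRD means nothing on QAS: flag it rather than ignore it.
    print("unresolved on QAS:", unresolved_services(USERS["fiori_user"], "QAS"))
```

The design point is the split between the rulebook and the hash table: the conflict rules stay readable and identical across systems, while the only system-specific artefact is the hash-to-service lookup, which is the piece that needs refreshing when a system is cloned or upgraded. Treating an unknown hash as a finding rather than silently skipping it is what keeps a stale lookup from turning back into a false negative.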

As IT departments continue to upgrade software platforms and migrate them to hybrid infrastructures, it is critical for corporate GRC teams to ensure that any upgrades or migrations of ERP or other important software do not create new holes in their SoD processes and expose the company to increased fraud.

Scott Goolik is vice president of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events.

GDPR is the standard through which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data privacy protection for all individuals within the European Union (EU). It also addresses protecting exported personal data outside the EU.

Maxine Henry, GDPR expert at Reciprocity, says non-EU companies that share data with third parties in the EU must meet the GDPR regulations. Protected data can be anything from a name, a home address, a photo, an email address, bank details, as well as postings on social networking websites, medical information, or a computer’s IP address.

“All our customers are asking about it,” Henry says. “It’s not just for companies in Europe; it has a big impact on U.S. companies doing business with any European citizen. If you are handling trans-border data, it puts you in scope for GDPR.”

Failure to comply can mean a fine equal to 4 percent of a company’s annual global revenue.

Reciprocity is helping its clients meet the May deadline.

“We are talking to companies and showing them how to build their GRC platform to meet the GDPR deadline and help them manage it,” Henry says.

According to Henry, GDPR includes, but is not limited to:

Timely notification of data breaches

A new set of digital rights for EU citizens

Compliance with data requests

Managed consent management tools

Privacy policy announcements and changes

Documented privacy policy changes

Right of access to types of data

As Reciprocity’s GDPR expert, Henry helps companies transition to a single tool that manages, and links directly to, each of the articles of the EU data privacy standard, she says.

“First, we go in and ask: Where are you, what is the maturity level of your business, what compliance regulations and frameworks are in place? We ask them whether they have good malware, good security software in place, do you have documented data privacy policies and procedures. If not, they should do that immediately,” Henry says.

“Once you actually understand where they are, we can make recommendations on getting to GDPR.”

According to Henry, Reciprocity’s GRC software is a cohesive system that helps companies manage data, assets, access rights, third-parties, and audit controls.

There is no need for multiple spreadsheets, no SharePoint sites, and no shared folders, all the information is in one spot.

The solution uses dashboards so staff can view which assets hold PII data, track information related to third party vendors, manage notifications and response of individual workers managing the data. It provides a cohesive view across compliance roles, responses to assigned tasks, such as who completes a task.

For example, if the IT director gets a task and responds that it has been performed, a manager with the proper permissions can track whether it is complete or not.

As North America suffered under an Arctic freeze last month, IntelligenceBank employees depended on air conditioning to keep the brutal Australian summer at bay.

“We are in the middle of summer, it’s about 97 degrees outside,” says Dominic Gluchowski, IntelligenceBank’s Marketing Director. “But we’re just as comfortable working in the winter in North America, too.”

The company, founded in Melbourne in 2009 with U.S. headquarters in San Diego, is a business process management platform that delivers niche SaaS applications that help teams reduce costs and risk.

IntelligenceBank has a host of GRC contracts in Australia and customers in more than 50 other countries.

The company is in the midst of negotiations to provide GRC and other solutions to other American-based Fortune 500 companies, Gluchowski said.

“In the United States, we’ve secured several great enterprise customers, and it’s full steam ahead with the growing demand of compliance services across organizations in North America.”

Conflict of Interest (COI) platforms are some of the company’s best-selling solutions. “IntelligenceBank’s Conflict of Interest software is purpose-designed to enable staff, distributors and the board to easily report potential conflicts and seamlessly create a culture of integrity and corporate responsibility,” Gluchowski says.

“It automates the review and approval of critical gift, financial interests, and relational conflicts. With a real-time audit trail, compliance officers can instantly run custom reports and track actions taken.”

The solution is designed for any organization, but works well for highly regulated industries such as financial services, government, and healthcare, where a system for managing disclosures is required.

It helps companies avoid large penalties for non-compliance, Gluchowski says. It’s less expensive than larger platforms that cost millions of dollars and take 18 months to install and launch.

The IntelligenceBank solution is usually up and running in three or four weeks, he said. “It’s easier to customize, provides granular permissions for specific groups, and automatically escalates to management if someone doesn’t respond.”

With a new year comes a clear-eyed and optimistic perspective – a clean slate, a new leaf, a fresh start. It’s important to leverage these moments of clarity and opportunity into better planning before we are once again swept up in the muddle and rush of the daily grind.

The punishing disruptions of 2017 — hurricanes, massive data breaches, global ransomware attacks, and revelations of gross misconduct across many industries — should compel executives to focus on business continuity planning as they steer their enterprises into the uncharted waters of 2018. The list of new risk management priorities is already growing: GDPR compliance, cryptocurrency hacking, Shadow Brokers exploits, rapid Internet of Things proliferation, and Meltdown/Spectre vulnerabilities.

The disruptions, outages, and disasters capable of significantly impacting a modern enterprise can originate from many sources — internal and external, cyber and physical. The fallout can include damage to property and infrastructure, financial health, operations, and reputation, often in toxic combinations with cascading and unpredictable effects.

Careful, comprehensive risk assessment and detailed incident response planning are crucial to sustaining operations, revenue, and public trust in such a pressure-cooker environment.

Intelligent Risk Assessment

Business continuity/disaster recovery (BC/DR) planning optimizes the capabilities an organization needs to transition expeditiously from business interruption to business-as-usual. Modern enterprises dependent on a hybrid web of digital technology infrastructure and global supply chains cannot expect to respond and recover efficiently without well-rehearsed procedures and enterprise-wide systems.

The number of companies that have done little to none of this essential risk management work is astonishing; EY reports that 40 percent of businesses that experience a disaster go out of business within five years.

Thanks in part to Shadow Brokers exploits, a record-breaking breach at Equifax, and a cover-up scandal at Uber, board members are more attuned to their IT risks and more focused on BC/DR.

Business and IT leaders need to put data-driven processes in place so they know what to expect when risk becomes reality, and can communicate these insights to stakeholders. It’s important to model a variety of scenarios that include predictions about how long outages will last, how services, products, and revenues will be affected, what remediation will cost, and what the regulatory consequences might be.

Begin by planning around common threats and risks and mapping out possible scenarios specific to your company or industry. Prioritize risks such as hacking, fraud, and vendor failure.

Large-scale threats that are less likely but have potentially devastating consequences should still be addressed, especially if your business is particularly vulnerable to hurricanes or geopolitical strife. Initial efforts to mature business continuity should focus on identifying and planning for risks related to cybersecurity fundamentals, internal threats, and third parties.
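One way to make the scenario modelling described above data-driven is to record, for each scenario, the predicted outage duration, revenue at risk, remediation cost and regulatory exposure, then rank by likelihood-weighted loss while separately flagging low-probability events whose single occurrence the business could not absorb. The following is an added example written for this page; it is not code from the article or from Lockpath, and all scenario names, probabilities and dollar figures are constructed for illustration.

```python
"""Scenario-based business impact estimate (added example; figures are constructed)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One disruption scenario with the predictions the planning text calls for."""
    name: str
    annual_likelihood: float    # estimated probability of occurring in a given year
    outage_hours: float         # predicted duration of the service interruption
    revenue_per_hour: float     # revenue at risk for each hour of outage
    remediation_cost: float     # predicted one-off cost of recovery and cleanup
    regulatory_exposure: float  # predicted fines, notification and legal costs

    def single_loss(self) -> float:
        """Total predicted cost if the scenario happens once."""
        return (self.outage_hours * self.revenue_per_hour
                + self.remediation_cost
                + self.regulatory_exposure)

    def annual_expected_loss(self) -> float:
        """Likelihood-weighted loss, used to rank the everyday risks."""
        return self.annual_likelihood * self.single_loss()


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest expected annual loss first: the common risks to plan for first."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def catastrophic_scenarios(scenarios: List[Scenario],
                           survivable_loss: float) -> List[Scenario]:
    """Scenarios whose single occurrence exceeds what the business can absorb.

    These are flagged regardless of likelihood, so that a rare but devastating
    event is not dropped from the plan just because its expected loss is small.
    """
    return [s for s in scenarios if s.single_loss() > survivable_loss]


def impact_report(scenarios: List[Scenario], survivable_loss: float) -> str:
    """Plain-text summary suitable for sharing with stakeholders."""
    lines = []
    for s in rank_by_expected_loss(scenarios):
        flag = "  [catastrophic]" if s.single_loss() > survivable_loss else ""
        lines.append(f"{s.name:<30} single={s.single_loss():>12,.0f}"
                     f"  annual={s.annual_expected_loss():>10,.0f}{flag}")
    return "\n".join(lines)


# Constructed sample scenarios; every value is an assumption, not data from the article.
SAMPLE_SCENARIOS = [
    Scenario("Ransomware outbreak", 0.30, 72, 5_000, 250_000, 100_000),
    Scenario("Critical vendor failure", 0.20, 48, 5_000, 50_000, 0),
    Scenario("Hurricane (data center region)", 0.02, 240, 5_000, 1_500_000, 0),
    Scenario("Insider fraud", 0.10, 0, 5_000, 80_000, 200_000),
]

if __name__ == "__main__":
    # Assumed threshold: a single loss above $1M is more than this business can absorb.
    print(impact_report(SAMPLE_SCENARIOS, survivable_loss=1_000_000))
```

With the constructed figures, ransomware ranks first by expected annual loss, while the hurricane scenario, although last but one by that measure, is the only one flagged as catastrophic; keeping both views is what lets the plan cover the likely and the devastating at the same time.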

Prepare for Things to Get Complicated

How do you plan for the unpredictable? This question goes straight to the core of integrated risk management. Only by acknowledging the complexity and interdependencies of modern enterprises – and implementing comprehensive systems and processes designed to find, define, and mitigate risks on a continuous basis – can we begin to develop greater control and agility.

Business continuity and incident response should be continuously optimized through coordinated planning, testing, and evaluation efforts. Controls should be selected on the basis of risk assessments and implemented through systematized processes that can be tracked and analyzed.

BC/DR plans should be kept up-to-date, incorporating software, infrastructure, vendor, personnel, and regulatory changes in addition to shifts in enterprise offerings, consumer priorities, and markets. To address third-party risk, include resiliency-oriented planning up front in contracts, negotiations, and acquisitions. Consistently enforce high standards for security-by-design, especially with IoT vendors and implementations.

Finally, when considering how to mitigate the impact of negative events, don’t forget to think through the cascading effects. Business operations depend on an ecosystem of people, processes, and technology, some of it controlled internally and some externally.

In the midst of executing core BC/DR plans to get operations back to normal, executives and managers will also have to communicate with various stakeholders and resolve issues related to employees, customers, supply chain partners, health and safety, and regulatory compliance.

Resiliency Builds Trust

In times of opportunity, disruption, and disaster, the best outcomes are only possible when everyone pitches in. Resiliency requires vision, leadership, and investment. Because BC/DR program effectiveness impacts everything from the bottom line to brand reputation, initiatives should involve a broad selection of business and operations managers.

Our digitally transformed economy relies on public trust. Vulnerabilities evolve and overlap, attackers grow more sophisticated, and the public becomes wary (and weary) as headlines highlight dangers around every Internet corner.

As partners and consumers become more aware and discerning, they begin to see insufficient risk management, sloppy security protocols, and non-compliance with industry standards as willful negligence.

There’s a lot of work to be done. Business resiliency starts with good governance practices. Governance, risk management, and compliance (GRC) initiatives may not be perceived as exciting, but they are essential. We use automation and advanced analytics to enhance marketing, R&D, infrastructure management, logistics, and so much more.

We must similarly support GRC and IT security teams by investing in intelligent, flexible software platforms that streamline and centralize the systematic assessment, tracking, and remediation of risk across the enterprise.

Data and digital systems are critical to business operations. To keep everything running, we have to achieve levels of visibility and control that are only feasible through a combination of technology support, responsible leadership, and an enterprise-wide commitment to maturing resilient response and recovery capabilities.

Sam Abadir is the vice president of Industry Solutions at Lockpath, a leading provider of compliance and risk management software.

How to submit story ideas, news tips and analysis

Contact us at editorial@fraudjournals.com. We also welcome news about software releases, conferences, events and new business partnerships. Please provide contact information and when appropriate, a photograph and two-sentence author bio.